Endpoint Protection

We have a Windows small business server 2008 with SEP 12.01 that has been running for the past 2 1/2 years without problem.

Recently we have started receiving error messages in the event log:

Application Error: EVENT ID 1000
Faulting application GFValidate.exe, version 12.0.1001.68, time stamp 0x4af8be4c, faulting module MSVCR80.dll, version 8.0.50727.6195, time stamp 0x4dcddbf3, exception code 0x40000015, fault offset 0x000046b4, process id 0x3560, application start time 0x01ce35f3bc5b8c76.

This started in the new year with a few error messages a month in January and February with none in March. Since the 6th April they seem to be occuring 3 / 4 times daily.

A search of the internet seems to associate this with SEP 12 and the management of its clients. 
i.e. that the clients have become unmanaged.

I have checked the SEP console and all clients are associated correctly and have been updating with the latest definitions on a daily basis. 

The clients indicate that they are contacting successfully with no problems detected and are reporting todays date as the last connection time.

Does anyone have any ideas of where these errors originate?

Regards Andy

Is the affected client showing the green dot on the icon in the task tray?

You may need to enable sylink logging and post the log here for review.

Hi Brian,

I dont have any clients that are erroring. They all report the correct status and are green.

Hence I dont know where the error is comming from!

Regards Andy

We get a similar message: different versions (11.0.4010.17 for GFValidate, 8.0.50727.4053 for msvcr80), but same fault address (0x000046b4); and the first occurrence was 4/6/2013 at 10:39 AM. This is no coincidence. I'm running Small Business Server 2003, Backup Exec 2012 service pack 1, BESR 2010 and SEP 11.0.4014.26. We have made no changes to any clients or server that I'm aware of on or shortly before 6 April; in fact, the server had never run so smoothly, requiring no shutdowns for several weeks.

Also seeing this on a number of servers at various sites in the last few days..most with SEP 11.x

I restarted the server last night and noted this morning that there are three error messages for GFValidate.exe. These are 4 hours apart to the minute so it seems to be a scheduled event.

The clients are switched off overnight so I suspect it is possibly the SEP system collecting data via the internet from symantec.

I haven't been able to locate a log on the server that would tie this in. There is a log in the SEP console but this does not go back to that last error.

Checked the SEP console under "Admin"-> "System" at the expected time of the next occurance and noted and error logged.

Message: April 11. 2013 9:52:05 AM BST: "Unknown response. [Server: Majestic]

The messages before were at 07:51 indicating that
1) liveupdate succeeded and will run next at 11:53
2) LUALL.exe finished running
3) SEP win32 and win64 12.0.1001 is up to date
4)Truscan Win32 Win64 is up to date.

I expect that the next error will occur at 13:52 so will try and see what runs in the process log at the time.
(If I can make myself available at the time)

We have the same issue since the same date in SEPM 11.0.5.

It seems that it is linked with the update of the "threatcon" in the console every 4 hours.

We use a proxy to go to the Web but nothing change on it.

Any idea from a Symantec Technical Support ??

Hi all,

Misery loves company…I too am experiencing this issue.  I am running Win2003 Server R2 SP2, Symantec Endpoint Protection 11.0.4202.75, Symantec Backup Exec 11D (Rev. 7170 SP5 HotFix 70). 

At first I thought that the error message I am getting on the screen was related to a conflict I have between the UPS software and SEP (I updated the UPS software on 3 April 2013 followed by a reboot).  But luckily I am a meticulous documenter, so I now realize that I first saw the error message on 7 April 2013.

Like some others here, sometimes I see that the error messages come every 4 hours, but not throughout the day.  In addition, the error messages get queued and so the log sometimes shows it only when I access the server.  Therefore, I cannot conclude that it's occurring at regular intervals.

Note that the SEP server is indeed downloading updates and the clients are receiving them.  The clients remain managed & show the green dot in the icon.  I see no functional problems, just these error messages.

Here is error I'm getting (I edited out some stuff) in the Win2003 Application log, it's similar to what others have reported:

"Event Category:(100), Event ID:  1000….[EDITED] Description:Faulting application GFValidate.exe, version 11.0.4202.73, faulting module msvcr80.dll, version 8.0.50727.3053, fault address 0x000046b4."

Here's the error in the Win2003 System log (edited), this refers to the error I'm seeing on the screen:

"Event Type:Information, Event Source:Application Popup,Event Category:None, Event ID:26 …[EDITED] Description:Application popup: Microsoft Visual C++ Runtime Library : Runtime Error! Program: C:\Program Files\Syman...[NOT EDITED HERE, THE MESSAGE DOESN'T SHOW THE ENTIRE PATH] This application has requested the Runtime to terminate it in an unusual way."

The SEP Manager shows the following error repeatedly, but it has been showing it for many months so I doubt that it's connected: "Invalid log record, too few fields".  I have never really investigated this, but again, it doesn't appear to me to be related to this issue.

So while this isn't a critical error for me since SEP seems to be working, I don't like seeing error messages pop up on my server screen…so I hope somebody finds a resolution to this problem.

I have been recently seeing this too. My story is virtually the same as the others listed here. SEP 11.0.4 WIndows 2003 Server R2 SP2. Periodically getting GFValidate.exe errrors. Updates seem to be going out to all the clients normally.

I am having the same issue running Version 11.0.5002.333 on an XP machine.  I first saw the problem 3 days ago. Everthing is also working fine on my system, just getting the error messages.

Message "Faulting application GFValidate.exe, version 11.0.5002.282, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x000046b4."

I noticed today that 3 seconds after seeing the error in the Windows event viewer Application log that I am getting an entry in the SEP server log for an "Unknown response " for the computer that is getting the GFEValidate error. (In this case it is the same computer)

I started having these issues as well.  The only thing that would have changed on this server:

• Microsoft Security Updates that just came out Tues night/Wed morning: 
     - Update today - KB2813345
     - Update yesterday: KB2808735, KB2813170, KB2817183-IE8, KB2820917

• Usual hourly SEPM definition updates

The info for this problem show as:

 

Error Signature -----------------------------

szAppName: GFValidate.exe

szAppVer: 11.0.4202.73

szModName: msvc80.dll

szModVer: 8.0.50727.3053

offset: 000046b4

C:\DOCUME~1\(i removed my user name)\LOCALS~1\Temp\WERd9d2.dir00\GFValidate.exe.mdmp

Windows Server 2003, SP2

I did run CCleaner and remove and temp system files but it still shows this error.

I hope this helps Tech Support fixure this out.

To: Andy West, jdenegre, BigFoot12, M-L, TigerHawk27 & ncbruns

All of you need to update your Endpoint Protection

12.0.1000 is very outdated Small Business Edition

Any SEP 11 that's not 11.0.7300 is also too old.

Please consider upgrading to either 11.0.7300 or 12.1.1100 (RU2 MP1)

I don't mean to sound simplistic but UPGRADE!

MJD

Seeing this on lots more servers now...

I'm guessing this is happening all over the place, seems something is going on at Symantec ?

Like the poster above says, all of these servers are very likley not on the very latest versions, most are on SEP 11.0.6.x which we found to be the most stable release by far.

As for SEP 12.x  ..does it work properly yet ?

I've got several sites running the latest 12.1.2015 and it's a complete nightmare.. 

..it pretty much renders Windows XP unusable ( I know they need to get off that as well )

So..is anyone who has a SEP 12.1.2015 installation getting this GFValidate error ? that would be interesting to know...

I think we're all getting a cheeky push from Symantec  ;-)

Hi

Can you please confirm whether it is blocking or taking time to open

Regards

Hi,

sofar I know this issue appeared until the release of  SEP 11.0.6005.562 ( RU6a ) which contains a fix already. It should not appear in the version 11 RU6a and above.

The versions 12.0 or 12.0.1001.95 is an equivalent of a SBE for the 11.x releases.. and are very old.

I've never observed this problem in the 12.1.x versions (EE or SBE).

@BigFoot12 >>> you're right- it is related to the "threatcon" and it's officially fixed in the verison I've already mentioned.

For anyone running the 12.0 or 12.0.1001.95 SBE version I would suggest to upgrade to the 12.1.x SBE version.

For anyone running the 11.x - lower than 11.6.6005.562 I would suggest to upgrade to that release or above (11.0 RU7 MP3 is highly recommended )

 Migrating to Symantec Endpoint Protection 11.0.7300 (RU7 MP3)
http://www.symantec.com/business/support/index?page=content&id=TECH199189

Workaround  >> it is not an official solution ( the upgrade is ) but you can test it on your own risk.

1. Copy pmem2.dll from SEPM RU6a( or higher) environment. It is placed under the SEPM Install folder\Bin.
2. Replace pmem2.dll on your SEPM ( the file is located in the same directory ) and restart the machine.
3. The GFValidate.exe error should not appear anymore.

I hope this will help you to resolve the issue.

Have a good Friday Everybody !

Regards,

Drl

OK, Thanks a lot.

It seems that the post of Druzil affraid my server(s) because they work like a charms since this morning without any action.

I also do not want to take the glory of the discovery and thanks a lot @NV31 for its in depth analysis of the SEPM product.

FF @NV31 for twitter friendly

Interestingly enough, the application failures have stopped happening!

The last one was on Friday evening and none since. No changes have been made to our systems so I suspect that the failure was due to an external resource being either unavailable or not working at symantec.

upgrading software isnt always the answer!

Regards Andy

Misery does love company - SBS 2008, Server 2008(terminal server), 15 clients SEP 12.1.671.4971 just started to get "GFValidate.exe has stopped and was closed" on the terminal server within the last month. No direct impact on operation of the server that I can see, so I have not given this a high priority. Seems that there is something going on and it would be nice for Symantec to step up an figure this out. Hope this provides some insight.

Steve

Hi all,

Like Andy West & BigFoot12, I can happily report that the problem seems to have gone away.  The last error I got was on April 14th.  I didn't take any action that would have caused the problem to be resolved. 

I would agree with Andy that the source of the problem was most likely external to us customers - a resource at Symantec or something with the updated definitions during the time period that the issue appeared.

Now we can all go back to our servers and deal with our other issues....

-Michael

Hi

Can you please upgrade to latest version of SEP

Regards

SameerU ...that's easy for you to say..

What about people who are on older hardware that will struggle with SEP 12.1.2 ?

When you've tried it on a fully loaded Windows Server 2003, or Windows Server 2008 for that matter, then come back and report..

The latest SEP 12.1.2 seems to have a huge overhead

Problem does seem to have gone away though, so like all the others say, this appears to be an issue connecting to something external, most likely at Symantec..